
Saturday, 24 May 2014

Password security

The way that people get your password is by using the fact that people cannot remember 100 different passwords. And unimaginative security people have been telling users "don't write your password down", because that's what someone told them when they went on the two-day Security Essentials course.

But security people have rarely said "don't use the same password in multiple places", because it's only rather recently that ordinary users have wanted logins to several dozen places.

And the user has understood that he can't use "password" for his password, or "letmein". He's taken on board that he needs to use something hard to guess, like qidGR63*n12dskwian

So, Joe K User uses his email address as his username, because why not? joekuser@gmail.com. And he uses the same password for Ebay, Paypal, his bank, and every web site that he visits that asks for registration. He can just about remember qidGR63*n12dskwian; no way could he remember a hundred passwords like that.

And no-one told him "don't use the same password in multiple places".

Username: joekuser@gmail.com
Password: qidGR63*n12dskwian

Except me. I've been telling people for 25 years, "Use a different password each time you need one, and remember them by writing them on a piece of paper that you carry in your wallet". And I give a few simple ways to avoid getting a problem if someone steals that paper. Like, for example, the way I remember my PIN numbers. I write them down, carry the paper in my wallet, but what I write down is different from the real number by a fixed amount, so all I need to remember is my fixed amount. I also have the code for my bike lock. I'm useless at remembering things.

So, one day he logs in to "kittensarecute.com", registers his username joekuser@gmail.com and password qidGR63*n12dskwian

And looks at all the cute kittens.

But what he doesn't know is that kittensarecute.com is run by some Bad People, and the Bad People are building up a list of usernames and passwords, and they sell them to Other Bad People, who run through the list on Ebay, or Paypal, and several banks.

And, of course, they get hits. Despite the fact that Ebay, and Paypal, and the bank, are all using hashing, and salting, and peppering. Those protect the stored password database against offline cracking; they do nothing when the attacker already has the plaintext password and simply logs in with it. And, by the way, Joe User's Ebay account is linked to his Paypal account, so you can see how that goes.
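As an added example (not code from the original post), here is the bank's side of that story: passwords stored as salted, peppered PBKDF2 hashes, exactly as the page says the big sites do, and then the Other Bad People replaying the plaintext list they bought from kittensarecute.com against the login. The bank's password storage is as good as it gets, and the replay still succeeds for Joe. The user records, the second user "jane", the leaked list and the pepper value are all constructed for the example.

```python
from __future__ import annotations
import hashlib
import hmac
import os

# Constructed example: a secret pepper held by the server, not stored in the
# database next to the hashes (assumption: a real deployment keeps it in an HSM
# or a secrets store).
PEPPER = b"server-side-secret-pepper"
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted and peppered PBKDF2-HMAC-SHA256 of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode() + PEPPER, salt, ITERATIONS)


def register(store: dict, username: str, password: str) -> None:
    """Store a fresh random salt and the derived hash; the plaintext is never kept."""
    salt = os.urandom(16)
    store[username] = (salt, hash_password(password, salt))


def verify(store: dict, username: str, password: str) -> bool:
    """The bank's login check: recompute the hash and compare in constant time."""
    record = store.get(username)
    if record is None:
        return False
    salt, expected = record
    return hmac.compare_digest(hash_password(password, salt), expected)


def credential_stuffing(store: dict, leaked: list[tuple[str, str]]) -> list[str]:
    """Replay leaked (username, plaintext) pairs against the login and return the hits.

    No hash is ever cracked here: the attacker is using the front door with a
    password that was handed over in plaintext somewhere else.
    """
    return [user for user, password in leaked if verify(store, user, password)]


# The bank's credential store (constructed). Joe reuses his one password
# everywhere; "jane" (an assumed second user) uses a different one per site.
BANK: dict = {}
register(BANK, "joekuser@gmail.com", "qidGR63*n12dskwian")
register(BANK, "jane@example.com", "bank-only-Z9!qwert")

# The list the Bad People built at kittensarecute.com, as they stored it:
# usernames and plaintext passwords (constructed).
LEAK = [
    ("joekuser@gmail.com", "qidGR63*n12dskwian"),
    ("jane@example.com", "kittens-only-7Rp#"),
]

if __name__ == "__main__":
    # Only Joe's account falls, because only Joe reused the password.
    print(credential_stuffing(BANK, LEAK))
```

Nothing about the bank's hashing is wrong; the attack never touches the hash. Jane survives purely because her kittens password is not her bank password.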

So here's the thing.

Length of password doesn't matter if you're attacking accounts this way (the technique is now usually called credential stuffing). Complexity doesn't matter. Writing them down doesn't matter. The only thing that matters is to use a different password on each web site.

But.

Ebay can't force you to use a different password from your bank, because Ebay doesn't know your bank password, and quite right too. Paypal can't force you to use a different password from kittensarecute.com.

So the answer is user education. And we all know how well that works. Is there another answer? Sort of.

Web sites could force the user to choose a password that is very likely to be different from the password that he uses elsewhere. For example, force the user to have four letters chosen from [wxyz] in his password. Or insist that the first four characters of the password are capitalised. Or force the user to include four digits (though note that qidGR63*n12dskwian already contains 6, 3, 1 and 2, so that particular rule would let it through; the rule has to be one the reused password is unlikely to satisfy by accident). So that when he chooses the password qidGR63*n12dskwian on kittensarecute.com, he isn't able to use that password on your web site. The user can, of course, simply bolt "wxyz" onto the end of his usual password, so this is a nudge rather than a guarantee, but it means the password the Bad People hold is no longer the exact string your site accepts.
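The three rules suggested above, as an added example (not code from the original post), implemented as a per-site registration check. The rule names and the `validate` helper are assumptions for illustration. Running it on the page's own password shows why the choice of rule matters: the [wxyz] and capitalisation rules both reject qidGR63*n12dskwian, but the four-digit rule accepts it as-is, because the password already carries four digits.

```python
from __future__ import annotations
import re

# Constructed example: each site picks one rule from this table (names assumed).
RULES = {
    # at least four digit characters anywhere in the password
    "four_digits": lambda p: len(re.findall(r"\d", p)) >= 4,
    # at least four characters drawn from the set w, x, y, z
    "four_from_wxyz": lambda p: sum(c in "wxyz" for c in p) >= 4,
    # first four characters are letters and all capitalised
    "first_four_capitals": lambda p: len(p) >= 4 and p[:4].isalpha() and p[:4].isupper(),
}


def validate(rule: str, password: str) -> tuple[bool, str]:
    """Apply one site's composition rule; return (accepted, message for the user)."""
    if rule not in RULES:
        raise ValueError(f"unknown rule {rule!r}")
    if RULES[rule](password):
        return True, "ok"
    return False, f"password does not satisfy this site's rule: {rule}"


def rejecting_rules(password: str) -> list[str]:
    """Which of the rules would stop this exact password being reused here."""
    return [name for name, check in RULES.items() if not check(password)]


def register(site_rule: str, users: dict, username: str, password: str) -> bool:
    """Registration as a site running one rule; stores nothing on rejection.

    (Storage is a plain dict here for the demonstration; a real site would hash.)
    """
    accepted, _message = validate(site_rule, password)
    if accepted:
        users[username] = password
    return accepted


REUSED = "qidGR63*n12dskwian"  # the password from the post

if __name__ == "__main__":
    print(rejecting_rules(REUSED))             # ['four_from_wxyz', 'first_four_capitals']
    print(validate("four_digits", REUSED))     # accepted: 6, 3, 1, 2 are already there
    print(validate("four_from_wxyz", REUSED))  # rejected: only one 'w'
    # The nudge in action: the user adapts, and the adapted string is at least
    # not the one sitting in the kittensarecute.com list.
    print(validate("four_from_wxyz", REUSED + "wxyz"))
```

The point of `rejecting_rules` is to test a candidate rule against the passwords people actually bring with them: a rule that a typical "strong" reused password already satisfies (the four-digit rule here) buys nothing.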

Does this solve all password problems? No, it doesn't. But it goes a long way towards fixing the biggest one.